Deployment Host Setup
Deployment is performed with Ansible, which we install in a Python virtual environment (venv) so that the versions of Ansible and its dependencies are pinned and managed independently of the system packages.
For security, the deployment host must not run any network service listening on an external interface, other than a hardened SSH daemon if the host is administered remotely. Ideally, the deployment host is operated locally from its own terminal, and it should not be administered as root; the deployment framework runs as an unprivileged user.
Begin by creating a directory for the deployment framework to operate from. It should be owned by your unprivileged user and group and have filesystem permissions of 0700.
On systems with SELinux, a context of user_home_t is appropriate.
This documentation assumes that you are working in the directory $HOME/ops/.
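The two requirements above (no unexpected external listeners, and a 0700 directory owned by the unprivileged user) are easy to check before every deployment. The following pre-flight script is an added example and is not part of the original page or of the project's own tooling. It assumes a Linux host with `ss` from iproute2 (the listener check parses `ss -Hltun` output, so it can also be run against captured output), that only port 22 is allowed to listen on a non-loopback address, and that `chcon` is available on SELinux hosts; the function names and the `run` argument are this example's own conventions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): deployment host pre-flight checks.
set -eu

# Read `ss -Hltun`-style lines on stdin (Netid State Recv-Q Send-Q Local Peer ...)
# and report any socket listening on a non-loopback address other than port 22.
# Returns 0 when only sshd (or nothing) is exposed, 1 otherwise.
check_listeners() {
    unexpected=0
    while read -r proto state recvq sendq local_addr peer rest; do
        [ -n "$proto" ] || continue
        case "$local_addr" in
            127.*|'[::1]:'*) continue ;;          # loopback only: not externally reachable
        esac
        port="${local_addr##*:}"                  # works for 0.0.0.0:22 and [::]:22
        if [ "$port" = "22" ]; then
            continue                              # the hardened sshd is the one allowed service
        fi
        printf 'unexpected listener: %s %s %s\n' "$proto" "$state" "$local_addr" >&2
        unexpected=1
    done
    return "$unexpected"
}

# Create the deployment directory (default $HOME/ops) with mode 0700, owned by the
# calling unprivileged user, then verify mode and ownership before printing the path.
prepare_ops_dir() {
    dir="${1:-$HOME/ops}"
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to set up the deployment directory as root" >&2
        return 1
    fi
    (umask 077 && mkdir -p "$dir")                # never briefly world-readable
    chmod 0700 "$dir"                             # also fixes a pre-existing directory
    [ -O "$dir" ] || { echo "$dir is not owned by $(id -un)" >&2; return 1; }
    mode=$(ls -ld "$dir" | cut -c1-10)            # portable: first 10 chars of ls -ld
    if [ "$mode" != "drwx------" ]; then
        echo "unexpected mode on $dir: $mode" >&2
        return 1
    fi
    # On SELinux hosts, label the directory user_home_t (the normal label under $HOME).
    if command -v getenforce >/dev/null 2>&1 && command -v chcon >/dev/null 2>&1; then
        chcon -t user_home_t "$dir" || echo "warning: could not label $dir user_home_t" >&2
    fi
    echo "$dir"
}

# Run the checks against the live host only when invoked as: ./preflight.sh run
if [ "${1:-}" = "run" ]; then
    ss -Hltun | check_listeners
    prepare_ops_dir "$HOME/ops"
fi
```

The listener check deliberately takes its input on stdin rather than calling `ss` itself, so the same function can be exercised against saved output from another host or in a test; feed it `ss -Hltun` on the deployment host and treat any non-zero exit as a reason to stop before deploying.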
Virtual Environment Setup
Begin by creating and activating a virtual environment:
cd $HOME/ops
python3 -m venv venv
source venv/bin/activate
Then install the dependencies we will require:
pip install ansible
pip install bitwarden-sdk # optional: only required for bitwarden secrets manager
Install the Ansible collection and role dependencies
Create $HOME/ops/requirements.yml. Note that collections installed from git use the name/type/version keys (src is only valid for roles):
---
collections:
  - name: bitwarden.secrets          # optional: only required for bitwarden secrets manager
  - name: https://guardianproject.dev/sr2/ansible-collection-core.git
    type: git
    version: main                    # optional: only required for our baseline role
  - name: https://guardianproject.dev/sr2/ansible-collection-apps.git
    type: git
    version: main                    # required: contains the CDR Link deployment role

roles:
  - src: git+https://github.com/ansible-lockdown/RHEL9-CIS.git
    version: "2.0.3"                 # optional: only required for our baseline role
Install the collections, and the roles if you are using the baseline role:
cd $HOME/ops
ansible-galaxy collection install -r requirements.yml
ansible-galaxy role install -r requirements.yml
Create deployment data files and directories
Create the directories that the next step will need:
cd $HOME/ops
mkdir {host,group}_vars